Hi all,
Our Runner has stopped working and after a day of bashing my head against this I’m no closer to understanding what is going on.
Our pipelines use images from an AWS ECS registry, and they fail immediately to pull the specified image:
Running with gitlab-ci-multi-runner 1.11.5 (cbfcb5c)
on alpine (cde79fa3)
Using Docker executor with image ***.dkr.ecr.***.amazonaws.com/***:latest ...
Pulling docker image ***.dkr.ecr.***.amazonaws.com/***:latest ...
ERROR: Preparation failed: API error (500): Get https://***.dkr.ecr.***.amazonaws.com/v2/***/manifests/latest: no basic auth credentials
Will be retried in 3s ...
With the AWS ECS registry comes the need to be logged in, and so I’ve configured the machine with the AWS CLI and run the $(aws ecr get-login --no-include-email)
command. docker pull <image url>
works just fine SSHed into the machine.
What is GitLab CI Runner actually saying with the “no basic auth credentials” error? I assume it doesn’t have credentials, but, where does it look? docker pull
works fine via SSH, so why wouldn’t it work here?
# cat /etc/gitlab-runner/config.toml
concurrent = 1
check_interval = 0
[[runners]]
name = "alpine"
url = "http://***/"
token = "cde***"
executor = "docker"
[runners.docker]
tls_verify = false
image = "alpine:latest"
privileged = true
disable_cache = true
volumes = ["/cache"]
[runners.cache]
# cat ~/.docker/config.json
{
"HttpHeaders": {
"User-Agent": "Docker-Client/17.12.1-ce (linux)"
},
"proxies": {
"default": {
"httpProxy": "http://***:3128",
"httpsProxy": "http://***:3128"
}
},
"credsStore": "ecr-login"
}
And the ecr-login credentials store then contains the token granting access to ECR. I set this up following the documentation from AWS ECR.